Hello,
(I hope everyone’s well)
Anyway, I have 2 big issues with LDAP authentication (I use LDAP Authenticator 9.4.4)…
First, my ldapsearch found a user id with this filter:
xwiki.authentication.ldap.user_group=(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))
but when I use the same filter in xwiki.cfg, this user is denied access…
I compared 2 LDAP user entries (one allowed to connect to XWiki) and found that the user attributes are sorted differently,
i.e. pascal.bxxx is allowed to log in to XWiki but not xwiki.lecteur.
ldapsearch -h myldap.fr -x -b ou=xxx,dc=fr '(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))'
displayed these users:
# xwiki.lecteur xxxxxxxxx
dn: uid=xwiki.lecteurxxxxxxxxxxxxxxxxxx
mineqAccesInternet: INITIAL
givenName: Xwiki
mineqZone: EQUIP
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mineqPerson
objectClass: calEntry
objectClass: sambaSamAccount
objectClass: posixAccount
xwiki logs displayed:
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user xwiki.lecteur does not belong to LDAP group (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE))).
# pascal.bxxx xxxxxxxxxxxxxxxxx
dn: uid=pascal.bxxxxxxxxxxxxxxxxxxxx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: mineqMelBoite
objectClass: calEntry
objectClass: mineqPerson
objectClass: sambaSamAccount
objectClass: posixAccount
mineqTypeEntree: BALI
mineqMelRemise: LMTP
mineqMelServeurPrincipal: xxxx
calFBURL: https://axxxxx
mineqZone: EQUIP
xwiki logs displayed:
- Checking if the user belongs to the user group: (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))
2020-04-03 14:16:43,895 [https://myxwiki.fr/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils
- Found cache entry for group [(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))]
2020-04-03 14:16:43,895 [https://myxwiki.fr/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils
- Checking if the user belongs to the user group: (&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))
- Found group [(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))]
- Found user dn in user group [uid=pascal.bxxx,
Second issue: the \ character didn’t work when I map XWiki and LDAP groups with this filter.
The LDAP log showed that the \ escape character didn’t work!
my xwiki.cfg:
xwiki.authentication.ldap.group_mapping=XWiki.GF_SNUM=(&(objectClass=mineqPerson)(\|(departmentNumber=SG/SPSSI/CPII*)(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))
I escape the | (or) LDAP instruction with \
and ldap logs displayed:
- [(&(objectClass=mineqPerson)(] is not a valid LDAP filter, lets try id
and
- [SG/SPSSI/CPII*)(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))] is not a valid LDAP filter, lets try id
com.novell.ldap.LDAPLocalException: Filter Error
ldapsearch works well with the same LDAP query (without \ of course).
Thanks for any help
Pascal B
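
An added example, not part of the original post and not XWiki or LDAP Authenticator code: a small filter evaluator showing that the user_group filter matches both entries regardless of attribute order, and that the two fragments in the second log are what remains when the group_mapping value is cut at the `|`. The names `parse`, `matches`, `is_valid` and `cut_at_pipe` are hypothetical, the entries are constructed from the redacted ldapsearch output, and the cutting behaviour is an assumption inferred from the logged fragments.

```python
import re

def parse(text):
    """Parse an LDAP filter (subset: & | ! and equality with * wildcards)."""
    node, rest = _parse(text)
    if rest:
        raise ValueError("trailing text %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:15])
    op = s[1:2]
    if op and op in "&|!":
        kids, rest = [], s[2:]
        while rest.startswith("("):
            kid, rest = _parse(rest)
            kids.append(kid)
        if not kids or not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, kids), rest[1:]
    m = re.match(r"\(([^=()]+)=([^()]*)\)", s)
    if not m:
        raise ValueError("bad filter item at %r" % s[:15])
    return ("=", m.group(1).lower(), m.group(2)), s[m.end():]

def matches(node, entry):
    """entry maps attribute name -> list of values; key order is irrelevant."""
    if node[0] == "=":
        rx = re.compile(".*".join(map(re.escape, node[2].split("*"))) + r"\Z", re.I)
        return any(rx.match(v) for k, vs in entry.items() if k.lower() == node[1] for v in vs)
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def is_valid(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False

def cut_at_pipe(mapping):
    """Assumption inferred from the log: value is cut at '|', then at the first '='."""
    return [part.split("=", 1)[1] for part in mapping.replace("\\|", "|").split("|")]

USER_GROUP = "(&(objectClass=mineqPerson)(!(mineqZone=EXTERNE)))"
# Constructed from the redacted ldapsearch output: same attributes, different order.
LECTEUR = {"mineqZone": ["EQUIP"], "objectClass": ["top", "person", "mineqPerson"]}
PASCAL = {"objectClass": ["top", "person", "mineqMelBoite", "mineqPerson"], "mineqZone": ["EQUIP"]}
MAPPING = ("XWiki.GF_SNUM=(&(objectClass=mineqPerson)(\\|(departmentNumber=SG/SPSSI/CPII*)"
           "(departmentNumber=SG/SNUM*)(departmentNumber=SG/SPSSI/SIAS*)))")
```

Both entries satisfy the filter here, so attribute order alone does not explain the different login results; neither fragment returned by `cut_at_pipe(MAPPING)` is a balanced filter, which is consistent with the two "is not a valid LDAP filter" lines.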